MicrosoftDocs
diff --git a/‎articles/api-management/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/api-management/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/api-management/api-management-policy-expressions.md
Lines changed: 3 additions & 2 deletions b/‎articles/api-management/api-management-policy-expressions.md
Lines changed: 3 additions & 2 deletions
diff --git a/‎articles/api-management/api-management-using-with-internal-vnet.md
Lines changed: 1 addition & 1 deletion b/‎articles/api-management/api-management-using-with-internal-vnet.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/api-management/api-management-using-with-vnet.md
Lines changed: 2 additions & 2 deletions b/‎articles/api-management/api-management-using-with-vnet.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/api-management/media/private-endpoint/add-endpoint-from-instance.png
56.4 KB b/‎articles/api-management/media/private-endpoint/add-endpoint-from-instance.png
56.4 KB
diff --git a/‎articles/api-management/media/private-endpoint/create-private-endpoint.png
96.7 KB b/‎articles/api-management/media/private-endpoint/create-private-endpoint.png
96.7 KB
diff --git a/‎articles/api-management/private-endpoint.md
Lines changed: 237 additions & 0 deletions b/‎articles/api-management/private-endpoint.md
Lines changed: 237 additions & 0 deletions
@@ -181,6 +181,8 @@
               href: api-management-using-with-internal-vnet.md
             - name: Integrate Application Gateway in an internal virtual network
               href: api-management-howto-integrate-internal-vnet-appgateway.md
+            - name: Connect privately using private endpoint
+              href: private-endpoint.md
             - name: Mutual Certificate authentication
               href: api-management-howto-mutual-certificates.md
             - name: Manage CA certificates
 
@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: article
-ms.date: 10/25/2021
+ms.date: 02/07/2022
 ms.author: danlep
 ---
 # API Management policy expressions
@@ -203,7 +203,7 @@ The `context` variable is implicitly available in every policy [expression](api-
 |<a id="ref-context-lasterror"></a>context.LastError|Source: string<br /><br /> Reason: string<br /><br /> Message: string<br /><br /> Scope: string<br /><br /> Section: string<br /><br /> Path: string<br /><br /> PolicyId: string<br /><br /> For more information about context.LastError, see [Error handling](api-management-error-handling-policies.md).|
 |<a id="ref-context-operation"></a>context.Operation|Id: string<br /><br /> Method: string<br /><br /> Name: string<br /><br /> UrlTemplate: string|
 |<a id="ref-context-product"></a>context.Product|Apis: IEnumerable<[IApi](#ref-iapi)\><br /><br /> ApprovalRequired: bool<br /><br /> Groups: IEnumerable<[IGroup](#ref-igroup)\><br /><br /> Id: string<br /><br /> Name: string<br /><br /> State: enum ProductState {NotPublished, Published}<br /><br /> SubscriptionLimit: int?<br /><br /> SubscriptionRequired: bool|
-|<a id="ref-context-request"></a>context.Request|Body: [IMessageBody](#ref-imessagebody) or `null` if request does not have a body.<br /><br /> Certificate: System.Security.Cryptography.X509Certificates.X509Certificate2<br /><br /> [Headers](#ref-context-request-headers): IReadOnlyDictionary<string, string[]><br /><br /> IpAddress: string<br /><br /> MatchedParameters: IReadOnlyDictionary<string, string><br /><br /> Method: string<br /><br /> OriginalUrl: [IUrl](#ref-iurl)<br /><br /> Url: [IUrl](#ref-iurl)|
+|<a id="ref-context-request"></a>context.Request|Body: [IMessageBody](#ref-imessagebody) or `null` if request does not have a body.<br /><br /> Certificate: System.Security.Cryptography.X509Certificates.X509Certificate2<br /><br /> [Headers](#ref-context-request-headers): IReadOnlyDictionary<string, string[]><br /><br /> IpAddress: string<br /><br /> MatchedParameters: IReadOnlyDictionary<string, string><br /><br /> Method: string<br /><br /> OriginalUrl: [IUrl](#ref-iurl)<br /><br /> Url: [IUrl](#ref-iurl)<br /><br /> PrivateEndpointConnection: [IPrivateEndpointConnection](#ref-iprivateendpointconnection) or `null` if request does not come from a private endpoint connection.|
 |<a id="ref-context-request-headers"></a>string context.Request.Headers.GetValueOrDefault(headerName: string, defaultValue: string)|headerName: string<br /><br /> defaultValue: string<br /><br /> Returns comma-separated request header values or `defaultValue` if the header is not found.|
 |<a id="ref-context-response"></a>context.Response|Body: [IMessageBody](#ref-imessagebody)<br /><br /> [Headers](#ref-context-response-headers): IReadOnlyDictionary<string, string[]><br /><br /> StatusCode: int<br /><br /> StatusReason: string|
 |<a id="ref-context-response-headers"></a>string context.Response.Headers.GetValueOrDefault(headerName: string, defaultValue: string)|headerName: string<br /><br /> defaultValue: string<br /><br /> Returns comma-separated response header values or `defaultValue` if the header is not found.|
@@ -212,6 +212,7 @@ The `context` variable is implicitly available in every policy [expression](api-
 |<a id="ref-iapi"></a>IApi|Id: string<br /><br /> Name: string<br /><br /> Path: string<br /><br /> Protocols: IEnumerable<string\><br /><br /> ServiceUrl: [IUrl](#ref-iurl)<br /><br /> SubscriptionKeyParameterNames: [ISubscriptionKeyParameterNames](#ref-isubscriptionkeyparameternames)|
 |<a id="ref-igroup"></a>IGroup|Id: string<br /><br /> Name: string|
 |<a id="ref-imessagebody"></a>IMessageBody|As<T\>(preserveContent: bool = false): Where T: string, byte[],JObject, JToken, JArray, XNode, XElement, XDocument<br /><br /> The `context.Request.Body.As<T>` and `context.Response.Body.As<T>` methods are used to read either a request and response message body in specified type `T`. By default, the method:<br /><ul><li>Uses the original message body stream.</li><li>Renders it unavailable after it returns.</li></ul> <br />To avoid that and have the method operate on a copy of the body stream, set the `preserveContent` parameter to `true`, as in [this example](api-management-transformation-policies.md#SetBody).|
+|<a id="ref-iprivateendpointconnection"></a>IPrivateEndpointConnection|Name: string<br /><br /> GroupId: string<br /><br /> MemberName: string<br /><br />For more information, see the [REST API](/rest/api/apimanagement/current-ga/private-endpoint-connection/list-private-link-resources).|
 |<a id="ref-iurl"></a>IUrl|Host: string<br /><br /> Path: string<br /><br /> Port: int<br /><br /> [Query](#ref-iurl-query): IReadOnlyDictionary<string, string[]><br /><br /> QueryString: string<br /><br /> Scheme: string|
 |<a id="ref-iuseridentity"></a>IUserIdentity|Id: string<br /><br /> Provider: string|
 |<a id="ref-isubscriptionkeyparameternames"></a>ISubscriptionKeyParameterNames|Header: string<br /><br /> Query: string|
 
@@ -44,7 +44,7 @@ For configurations specific to the *external* mode, where the service endpoints
 
 1. Go to the [Azure portal](https://portal.azure.com) to find your API management instance. Search for and select **API Management services**.
 1. Choose your API Management instance.
-1. Select **Virtual network**.
+1. Select **Network** > **Virtual network**.
 1. Select the **Internal** access type.
 1. In the list of locations (regions) where your API Management service is provisioned: 
     1. Choose a **Location**.
 
@@ -32,7 +32,7 @@ For configurations specific to the *internal* mode, where the endpoints are acce
 
 1. Go to the [Azure portal](https://portal.azure.com) to find your API management instance. Search for and select **API Management services**.
 1. Choose your API Management instance.
-1. Select **Virtual network**.
+1. Select **Network**.
 1. Select the **External** access type.
     :::image type="content" source="media/api-management-using-with-vnet/api-management-menu-vnet.png" alt-text="Select VNet in Azure portal.":::
 
@@ -43,7 +43,7 @@ For configurations specific to the *internal* mode, where the endpoints are acce
 
         :::image type="content" source="media/api-management-using-with-vnet/api-management-using-vnet-select.png" alt-text="VNet settings in the portal.":::
 
-1. Select **Apply**. The **Virtual network** page of your API Management instance is updated with your new VNet and subnet choices.
+1. Select **Apply**. The **Network** page of your API Management instance is updated with your new VNet and subnet choices.
 
 1. Continue configuring VNet settings for the remaining locations of your API Management instance.
 
 
@@ -0,0 +1,237 @@
+---
+title: Set up private endpoint for Azure API Management
+description: Learn how to restrict access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
+ms.service: api-management
+author: dlepow
+ms.author: danlep
+ms.topic: how-to
+ms.date: 02/23/2022
+
+---
+
+# Connect privately to API Management using a private endpoint
+
+You can configure a [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). 
+
+* The private endpoint uses an IP address from your Azure VNet address space. 
+
+* Network traffic between a client on your private network and API Management traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet.
+
+* Configure custom DNS settings or an Azure DNS private zone to map the API Management hostname to the endpoint's private IP address. 
+
+With a private endpoint and Private Link, you can:
+
+- Create multiple Private Link connections to an API Management instance. 
+
+- Use the private endpoint to send inbound traffic on a secure connection. 
+
+- Use policy to distinguish traffic that comes from the private endpoint. 
+
+- Limit incoming traffic only to private endpoints, preventing data exfiltration.
+
+> [!IMPORTANT]
+> * API Management support for private endpoints is currently in preview.
+> * To enable private endpoints, the API Management instance can't already be configured with an external or internal [virtual network](virtual-network-concepts.md).  
+> * A private endpoint connection supports only incoming traffic to the API Management instance. 
+
+[!INCLUDE [premium-dev-standard-basic.md](../../includes/api-management-availability-premium-dev-standard-basic.md)]
+
+## Limitations
+
+* Only the API Management instance's Gateway endpoint currently supports Private Link connections. 
+* Each API Management instance currently supports at most 100 Private Link connections.
+* Connections are not supported on the [self-hosted gateway](self-hosted-gateway-overview.md). 
+
+## Prerequisites
+
+- An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md). 
+    - The API Management instance must be hosted on the [`stv2` compute platform](compute-infrastructure.md). For example, create a new instance or, if you already have an instance in the Premium service tier, enable [zone redundancy](zone-redundancy.md). 
+    - Do not deploy (inject) the instance into an [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) virtual network.
+- A virtual network and subnet to host the private endpoint. The subnet may contain other Azure resources.
+- (Recommended) A virtual machine in the same or a different subnet in the virtual network, to test the private endpoint.
+
+## Approval method for private endpoint
+
+Typically, a network administrator creates a private endpoint. Depending on your Azure role-based access control (RBAC) permissions, a private endpoint that you create is either *automatically approved* to send traffic to the API Management instance, or requires the resource owner to *manually approve* the connection.
+
+
+|Approval method     |Minimum RBAC permissions  |
+|---------|---------|
+|Automatic     | `Microsoft.Network/virtualNetworks/**`<br/>`Microsoft.Network/virtualNetworks/subnets/**`<br/>`Microsoft.Network/privateEndpoints/**`<br/>`Microsoft.Network/networkinterfaces/**`<br/>`Microsoft.Network/locations/availablePrivateEndpointTypes/read`<br/>`Microsoft.ApiManagement/service/**`<br/>`Microsoft.ApiManagement/service/privateEndpointConnections/**`        |
+|Manual     | `Microsoft.Network/virtualNetworks/**`<br/>`Microsoft.Network/virtualNetworks/subnets/**`<br/>`Microsoft.Network/privateEndpoints/**`<br/>`Microsoft.Network/networkinterfaces/**`<br/>`Microsoft.Network/locations/availablePrivateEndpointTypes/read`           |
+
+## Steps to configure private endpoint
+
+1. [Get available private endpoint types in subscription](#get-available-private-endpoint-types-in-subscription)
+1. [Disable network policies in subnet](#disable-network-policies-in-subnet)
+1. [Create private endpoint - portal](#create-private-endpoint---portal)
+1. [List private endpoint connections to the instance](#list-private-endpoint-connections-to-the-instance)
+1. [Approve pending private endpoint connections](#approve-pending-private-endpoint-connections)
+1. [Optionally disable public network access](#optionally-disable-public-network-access)
+
+### Get available private endpoint types in subscription
+
+Verify that the API Management private endpoint type is available in your subscription and location. In the portal, find this information by going to the **Private Link Center**. Select **Supported resources**.  
+
+You can also find this information by using the [Available Private Endpoint Types - List](/rest/api/virtualnetwork/available-private-endpoint-types) REST API.
+
+```rest
+GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{region}/availablePrivateEndpointTypes?api-version=2021-03-01
+```
+
+Output should include the `Microsoft.ApiManagement.service` endpoint type:
+
+```JSON
+[...]
+
+      "name": "Microsoft.ApiManagement.service",
+      "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Network/AvailablePrivateEndpointTypes/Microsoft.ApiManagement.service",
+      "type": "Microsoft.Network/AvailablePrivateEndpointTypes",
+      "resourceName": "Microsoft.ApiManagement/service",
+      "displayName": "Microsoft.ApiManagement/service",
+      "apiVersion": "2021-04-01-preview"
+    }
+[...]
+```
+
+### Disable network policies in subnet
+
+Network policies such as network security groups must be disabled in the subnet used for the private endpoint. 
+
+If you use tools such as Azure PowerShell, the Azure CLI, or REST API to configure private endpoints, update the subnet configuration manually. For examples, see [Manage network policies for private endpoints](../private-link/disable-private-endpoint-network-policy.md).
+
+When you use the Azure portal to create a private endpoint, as shown in the next section, network policies are disabled automatically as part of the creation process 
+
+### Create private endpoint - portal
+
+1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
+
+1. In the left-hand menu, select **Network**.
+
+1. Select **Private endpoint connections** > **+ Add endpoint**.
+
+    :::image type="content" source="media/private-endpoint/add-endpoint-from-instance.png" alt-text="Add a private endpoint using Azure portal":::
+
+1. In the **Basics** tab of **Create a private endpoint**, enter or select the following information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | **Project details** | |
+    | Subscription | Select your subscription. |
+    | Resource group | Select an existing resource group, or create a new one. It must be in the same region as your virtual network.|
+    | **Instance details** |  |
+    | Name  | Enter a name for the endpoint such as **myPrivateEndpoint**. |
+    | Region | Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted. |
+
+1. Select the **Resource** tab or the **Next: Resource** button at the bottom of the page. The following information about your API Management instance is already populated:
+    * Subscription
+    * Resource group
+    * Resource name
+    
+1. In **Resource**, in **Target sub-resource**, select **Gateway**.
+
+    :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Create a private endpoint in Azure portal":::
+
+1. Select the **Configuration** tab or the **Next: Configuration** button at the bottom of the screen.
+
+1. In **Configuration**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | **Networking** |  |
+    | Virtual network | Select your virtual network. |
+    | Subnet | Select your subnet. |
+    | **Private DNS integration** |  |
+    | Integrate with private DNS zone | Leave the default of **Yes**. |
+    | Subscription | Select your subscription. |
+    | Resource group | Select your resource group. |
+    | Private DNS zones | Leave the default of **(new) privatelink.azure-api.net**.
+
+1. Select **Review + create**.
+
+1. Select **Create**.
+
+### List private endpoint connections to the instance
+
+After the private endpoint is created, it appears in the list on the API Management instance's **Private endpoint connections** page in the portal.
+
+You can also use the [Private Endpoint Connection - List By Service](/rest/api/apimanagement/current-ga/private-endpoint-connection/list-by-service) REST API to list private endpoint connections to the service instance.
+
+
+Note the endpoint's **Connection status**:
+
+* **Approved** indicates that the API Management resource automatically approved the connection. 
+* **Pending** indicates that the connection must be manually approved by the resource owner.
+
+### Approve pending private endpoint connections
+
+If a private endpoint connection is in pending status, an owner of the API Management instance must manually approve it before it can be used.
+
+If you have sufficient permissions, approve a private endpoint connection on the API Management instance's **Private endpoint connections** page in the portal. 
+
+You can also use the API Management [Private Endpoint Connection - Create Or Update](/rest/api/apimanagement/current-ga/private-endpoint-connection/create-or-update) REST API.
+
+```rest
+PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{apimServiceName}privateEndpointConnections/{privateEndpointConnectionName}?api-version=2021-08-01
+```
+
+### Optionally disable public network access
+
+To optionally limit incoming traffic to the API Management instance only to private endpoints, disable public network access. Use the [API Management Service - Create Or Update](/rest/api/apimanagement/current-ga/api-management-service/create-or-update) REST API.
+
+```rest
+PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{apimServiceName}?api-version=2021-08-01
+Authorization: Bearer {{authToken.response.body.access_token}}
+Content-Type: application/json
+
+```
+Use the following JSON body:
+
+```json
+{
+  [...]
+  "properties": {
+    "publicNetworkAccess": "Disabled"
+  }
+}
+```
+
+## Validate private endpoint connection
+
+After the private endpoint is created, confirm its DNS settings in the portal:
+
+1. In the portal, navigate to the **Private Link Center**.
+1. Select **Private endpoints** and select the private endpoint you created.
+1. In the left-hand navigation, select **DNS configuration**.
+1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
+
+### Test in virtual network
+
+Connect to a virtual machine you set up in the virtual network.
+
+Run a utility such as `nslookup` or `dig` to look up the IP address of your default Gateway endpoint over Private Link. For example:
+
+```
+nslookup my-apim-service.azure-api.net
+```
+
+Output should include the private IP address associated with the private endpoint.
+
+API calls initiated within the virtual network to the default Gateway endpoint should succeed.
+
+### Test from internet
+
+From outside the private endpoint path, attempt to call the API Management instance's default Gateway endpoint. If public access is disabled, output will include an error with status code `403` and a message similar to:
+
+```
+Request originated from client public IP address xxx.xxx.xxx.xxx, public network access on this 'Microsoft.ApiManagement/service/my-apim-service' is disabled.
+       
+To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the Private Endpoint from inside your virtual network. 
+```
+
+## Next steps
+
+* Use [policy expressions](api-management-policy-expressions.md#ref-context-request) with the `context.request` variable to identify traffic from the private endpoint.
+* Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md).
+* Learn more about [managing private endpoint connections](../private-link/manage-private-endpoint.md).
+* Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create an API Management instance and a private endpoint with private DNS integration.